Connected IO v2.1.0 and prior uses a hard-coded username/password pair embedded in their device's firmware used for device communication using MQTT. An attacker who gained access to these credentials is able to connect to the MQTT broker and send messages on behalf of devices, impersonating them. in order to sign and verify JWT session tokens, allowing attackers to sign arbitrary session tokens and bypass authentication.
Metrics
Affected Vendors & Products
References
History
Thu, 17 Oct 2024 15:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2023-08-04T00:00:00
Updated: 2024-10-17T15:06:35.371Z
Reserved: 2023-05-22T00:00:00
Link: CVE-2023-33372
Vulnrichment
Updated: 2024-08-02T15:47:05.110Z
NVD
Status : Modified
Published: 2023-08-04T18:15:11.883
Modified: 2024-11-21T08:05:29.933
Link: CVE-2023-33372
Redhat
No data.